Solving the Running Key Cipher with the Viterbi Algorithm

Total Page:16

File Type:pdf, Size:1020Kb

Solving the Running Key Cipher with the Viterbi Algorithm Cryptologia ISSN: 0161-1194 (Print) 1558-1586 (Online) Journal homepage: http://www.tandfonline.com/loi/ucry20 Solving the Running Key Cipher with the Viterbi Algorithm Alexander Griffing To cite this article: Alexander Griffing (2006) Solving the Running Key Cipher with the Viterbi Algorithm, Cryptologia, 30:4, 361-367, DOI: 10.1080/01611190600789117 To link to this article: https://doi.org/10.1080/01611190600789117 Published online: 22 Nov 2006. Submit your article to this journal Article views: 127 Full Terms & Conditions of access and use can be found at http://www.tandfonline.com/action/journalInformation?journalCode=ucry20 Cryptologia, 30:361–367, 2006 Copyright Taylor & Francis Group, LLC ISSN: 0161-1194 print DOI: 10.1080/01611190600789117 Solving the Running Key Cipher with the Viterbi Algorithm ALEXANDER GRIFFING Abstract The Viterbi algorithm is able to reconstruct most of the plaintext from running key ciphertext most of the time using 6-gram letter statistics. Keywords cryptanalysis, running key cipher, vigene`re cipher, viterbi algorithm Introduction Under the simplifying assumption that the running key cipher is a random cipher [11], it should have a unique solution if and only if the redundancy of the message and key is at least 50%. This is because the output of the encryption (ciphertext) is half as long as the input (message plus key). In this paper we use a model of written English that can detect this much redundancy, and we note that the Viterbi algorithm [10, 13] finds the most likely solution to a running key cipher with respect to this model. The algorithm was tested on 100 English (message, key) pairs, and usually the message and key were mostly recovered. This method is shown to be an improvement on an earlier approach [1]. This article is a follow-up to [5], which shows how the Viterbi algorithm can solve running key ciphers in which the spaces are kept in the message and key, and for which the letters of the message and key are combined using bitwise XOR. Running Key Cipher The running key cipher combines a message and a key, each N letters long, to make a ciphertext of length N. During enciphering, each letter of the message is shifted against the corresponding letter of the key, as shown in Figure 1. It is equivalent to a Vigene`re cipher with a period as long as the message. For this article, both the message and the key are assumed to consist of English language text from which all spaces and punctuation have been removed, and for which the remaining 26 letters are considered without regard to case. This paper explains how to estimate the message and key from the ciphertext. Summary of a Previous Automated Attack Bauer and Tate [1] enciphered the first 1000 letters of Dracula using the first 1000 letters of The Cask of Amontillado as the running key [12, 9]. The resulting ciphertext was partitioned into disjoint n-letter blocks that were each solved separately. Address correspondence to Alexander Griffing, 3930 Jackson St., Apt. Q-311, Raleigh, NC 27607, USA. E-mail: [email protected] 361 362 A. Griffing Figure 1. To encipher a message using a running key cipher, letters at corresponding positions in the message and the key are converted to numbers and added together modulo 26. The resulting numbers are then converted back into letters. Letters ‘A’ through ‘Z’ are numbers 0 through 25. As shown here, it is possible for different (message, key) pairs to generate the same ciphertext. To solve a block, they iterated through all n-letter keys, recording the corre- sponding message that would produce the observed ciphertext block. The key for which the product of the probability of the key and the probability of the corre- sponding message was highest was chosen as the recovered key for that block. Unsmoothed frequencies of n-grams observed in a training set were used as the prob- abilities. They used n-gram sizes up to 6 and training sets including and excluding the message and key, but no more than about a third of the unordered letter pairs were recovered. Maximum Likelihood Finding the best solution to a running key cipher means finding the (message, key) pair that maximizes the value of some objective function, given the ciphertext. Using the principle of maximum likelihood estimation, we choose the objective function to be the probability of observing the (message, key) pair given a language model. Because a ciphertext and a key uniquely determine the message, the problem is equivalent to finding a key such that the probability of observing the key and the corresponding message is maximized. The key and the message are both assumed to be English language texts, and the probability of observing text x is Pðx1 ...xN Þ where xi is letter i of the N-letter text. This can be rewritten using con- ditional probabilities: YN Pðx1 ...xN Þ¼Pðx1Þ Pðxijx1 ...xiÀ1Þ i¼2 The key and message are assumed to have been picked independently by the enci- pherer, so the joint probability is the product of their marginal probabilities. So how are the conditional probabilities calculated and how do we search efficiently for the maximum likelihood key? By making simplifying assumptions about English language text, a Markov chain can be used as the language model that generates the conditional probabilities. This model allows the Viterbi algorithm to efficiently find the maximum likelihood key. Solving the Running Key Cipher with the Viterbi Algorithm 363 Markov Chain A Markov chain models a sequence of random variables by assuming the sequence has local structure [10, 13]. In particular, a Markov chain of order n assumes that if i > n then Pðxijx1 ...xiÀ1Þ¼PðxijxiÀn ...xiÀ1Þ.A(n þ 1)-gram language model is a Markov chain of order n. Viterbi Algorithm The Viterbi algorithm is a dynamic programming algorithm used for finding the most probable sequence of hidden states, assuming that this sequence follows a Markov model [10, 13]. It uses recursion to compute this sequence. Let n be the order of the Markov chain used in the language model. Let ViÀn...iðkiÀn ...kiÞ be the probability of the most probable partial key beginning at position i under the condition that the key values at positions i À n ...i are kiÀn ...ki. Let miðkiÞ be the message letter at position i determined by key letter ki and the ciphertext letter at position i. Then each entry is the product of three terms: ViÀn...iðkiÀn...iÞ¼T1 Á T2 Á T3 T1 ¼ PðkijkiÀn ...kiÀ1Þ T2 ¼ PðmiðkiÞjmiÀnðkiÀnÞ ...miÀ1ðkiÀ1ÞÞ T3 ¼ max½ViðnÀ1Þ...iþ1ðkiðnÀ1Þ ...kiþ1Þ kiþ1 In practice, this is done in log space where probabilities (PðxÞ) are replaced by costs (À logðPðxÞÞ), multiplication is replaced by addition, and maximization of prob- ability is replaced by minimization of cost. Figure 2 illustrates how this method finds Figure 2. This table is filled by the Viterbi algorithm from right to left during solution of the running key cipher message ‘LHHYI’ using a 3-gram language model (an order 2 Markov chain). After all entries have been filled, the optimal solution can be read from left to right, following the indicated path. Here the most likely (message, key) pair is (‘STORE,’ ‘TO THE’). In each column, each (message, key) pair is repeated as a (key, message) pair when the partial key and corresponding partial message are not identical. This symmetry can be exploited to reduce the size of the table by about half. 364 A. Griffing the most likely solution to a running key ciphertext. In this figure, the areas of the dark gray rectangles associated with each entry are proportional to the T1 and T2 components of the cost, and the light gray area is proportional to the T3 component. nþ1 For each position i > n, the table ViÀn...i has 26 entries. Procedure Two experiments were performed. The first experiment was a comparison with the approach in [1], so it used the same training set and attempted to solve the same ciphertext using the same n-gram sizes. The second experiment attempted a more general evaluation by using many texts from Project Gutenberg [6]. For both experi- ments, time and memory requirements restricted the n-gram size to a maximum of 6 letters. Comparison Procedure As in [1], the first 1000 letters of Dracula were enciphered using the first 1000 letters of The Cask of Amontillado as the running key [12, 9]. This ciphertext was solved by the Viterbi algorithm using n-gram sizes between 1 and 6, where the conditional probabilities for the Markov chain were calculated using maximum likelihood esti- mation, i.e., without smoothing, using the union of [12] and [9] as the training text. Results of this comparison are shown in Figure 3. General Evaluation Procedure All of the English language text from Project Gutenberg that had been converted to the etext id naming system was downloaded, very small files were removed, the headers and footers were stripped, and the set of files was divided evenly and randomly into a training set and a testing set. An n-gram language model was trained using the training set for each n between 1 and 6. The conditional probabilities were calculated by Witten-Bell smoothing rather than by maximum likelihood estimation [14]. Figure 3. This is a direct comparison between the results of the Viterbi algorithm (solid line) and the results reported in [1] (dashed line). Both methods used n-gram statistics to solve a running key cipher made by combining the first 1000 characters of Dracula [12] with the first 1000 characters of The Cask of Amontillado (in [9]).
Recommended publications
  • Codebusters Coaches Institute Notes
    BEING COVER AGENT FIXED DELAY, PILOT RIGHT PLANE, CATCH SMALL RADIO (CODEBUSTERS) This is the first year CodeBusters will be a National event. A few changes have been made since the North Carolina trial event last year. 1. The Atbash Cipher has been added. 2. The running key cipher has been removed. 3. K2 alphabets have been added in addition to K1 alphabets 4. Hill Cipher decryption has been added with a given decryption matrix. 5. The points scale has been doubled, but the timing bonus has been increased by only 50% in order to further balance the test. 1 TYPES OF PROBLEMS 1.1 ARISTOCRAT (EASY TO HARD DIFFICULTY) http://www.cryptograms.org/tutorial.php An Aristocrat is the typical Crypto-quote you see in the newspaper. Word spaces are preserved. No letter will stand for itself and the replacement table is given as a guide (but doesn’t need to be filled in by the team to get credit). FXP PGYAPYF FIKP ME JAKXPT AY FXP GTAYFMJTGF THE EASIEST TYPE OF CIPHER IS THE ARISTOCRAT A B C D E F G H I J K L M N O P Q R S T U V W X Y Z Frequency 4 1 6 3 1 2 2 2 6 3 3 4 Replacement I F T A Y C P O E R H S 1.2 ARISTOCRATS WITH SPELLING AND/OR GRAMMAR ERRORS (MEDIUM TO VERY HARD DIFFICULTY) For these, either words will be misspelled or grammatical errors introduced. From a student perspective, it is what they might expect when someone finger fumbles a text message or has a bad voice transcription.
    [Show full text]
  • The Mathemathics of Secrets.Pdf
    THE MATHEMATICS OF SECRETS THE MATHEMATICS OF SECRETS CRYPTOGRAPHY FROM CAESAR CIPHERS TO DIGITAL ENCRYPTION JOSHUA HOLDEN PRINCETON UNIVERSITY PRESS PRINCETON AND OXFORD Copyright c 2017 by Princeton University Press Published by Princeton University Press, 41 William Street, Princeton, New Jersey 08540 In the United Kingdom: Princeton University Press, 6 Oxford Street, Woodstock, Oxfordshire OX20 1TR press.princeton.edu Jacket image courtesy of Shutterstock; design by Lorraine Betz Doneker All Rights Reserved Library of Congress Cataloging-in-Publication Data Names: Holden, Joshua, 1970– author. Title: The mathematics of secrets : cryptography from Caesar ciphers to digital encryption / Joshua Holden. Description: Princeton : Princeton University Press, [2017] | Includes bibliographical references and index. Identifiers: LCCN 2016014840 | ISBN 9780691141756 (hardcover : alk. paper) Subjects: LCSH: Cryptography—Mathematics. | Ciphers. | Computer security. Classification: LCC Z103 .H664 2017 | DDC 005.8/2—dc23 LC record available at https://lccn.loc.gov/2016014840 British Library Cataloging-in-Publication Data is available This book has been composed in Linux Libertine Printed on acid-free paper. ∞ Printed in the United States of America 13579108642 To Lana and Richard for their love and support CONTENTS Preface xi Acknowledgments xiii Introduction to Ciphers and Substitution 1 1.1 Alice and Bob and Carl and Julius: Terminology and Caesar Cipher 1 1.2 The Key to the Matter: Generalizing the Caesar Cipher 4 1.3 Multiplicative Ciphers 6
    [Show full text]
  • Recommendation for Block Cipher Modes of Operation Methods
    NIST Special Publication 800-38A Recommendation for Block 2001 Edition Cipher Modes of Operation Methods and Techniques Morris Dworkin C O M P U T E R S E C U R I T Y ii C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 December 2001 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary of Commerce for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director iii Reports on Information Security Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.
    [Show full text]
  • Polish Mathematicians Finding Patterns in Enigma Messages
    Fall 2006 Chris Christensen MAT/CSC 483 Machine Ciphers Polyalphabetic ciphers are good ways to destroy the usefulness of frequency analysis. Implementation can be a problem, however. The key to a polyalphabetic cipher specifies the order of the ciphers that will be used during encryption. Ideally there would be as many ciphers as there are letters in the plaintext message and the ordering of the ciphers would be random – an one-time pad. More commonly, some rotation among a small number of ciphers is prescribed. But, rotating among a small number of ciphers leads to a period, which a cryptanalyst can exploit. Rotating among a “large” number of ciphers might work, but that is hard to do by hand – there is a high probability of encryption errors. Maybe, a machine. During World War II, all the Allied and Axis countries used machine ciphers. The United States had SIGABA, Britain had TypeX, Japan had “Purple,” and Germany (and Italy) had Enigma. SIGABA http://en.wikipedia.org/wiki/SIGABA 1 A TypeX machine at Bletchley Park. 2 From the 1920s until the 1970s, cryptology was dominated by machine ciphers. What the machine ciphers typically did was provide a mechanical way to rotate among a large number of ciphers. The rotation was not random, but the large number of ciphers that were available could prevent depth from occurring within messages and (if the machines were used properly) among messages. We will examine Enigma, which was broken by Polish mathematicians in the 1930s and by the British during World War II. The Japanese Purple machine, which was used to transmit diplomatic messages, was broken by William Friedman’s cryptanalysts.
    [Show full text]
  • Index-Of-Coincidence.Pdf
    The Index of Coincidence William F. Friedman in the 1930s developed the index of coincidence. For a given text X, where X is the sequence of letters x1x2…xn, the index of coincidence IC(X) is defined to be the probability that two randomly selected letters in the ciphertext represent, the same plaintext symbol. For a given ciphertext of length n, let n0, n1, …, n25 be the respective letter counts of A, B, C, . , Z in the ciphertext. Then, the index of coincidence can be computed as 25 ni (ni −1) IC = ∑ i=0 n(n −1) We can also calculate this index for any language source. For some source of letters, let p be the probability of occurrence of the letter a, p be the probability of occurrence of a € b the letter b, and so on. Then the index of coincidence for this source is 25 2 Isource = pa pa + pb pb +…+ pz pz = ∑ pi i=0 We can interpret the index of coincidence as the probability of randomly selecting two identical letters from the source. To see why the index of coincidence gives us useful information, first€ note that the empirical probability of randomly selecting two identical letters from a large English plaintext is approximately 0.065. This implies that an (English) ciphertext having an index of coincidence I of approximately 0.065 is probably associated with a mono-alphabetic substitution cipher, since this statistic will not change if the letters are simply relabeled (which is the effect of encrypting with a simple substitution). The longer and more random a Vigenere cipher keyword is, the more evenly the letters are distributed throughout the ciphertext.
    [Show full text]
  • Secure Communications One Time Pad Cipher
    Cipher Machines & Cryptology © 2010 – D. Rijmenants http://users.telenet.be/d.rijmenants THE COMPLETE GUIDE TO SECURE COMMUNICATIONS WITH THE ONE TIME PAD CIPHER DIRK RIJMENANTS Abstract : This paper provides standard instructions on how to protect short text messages with one-time pad encryption. The encryption is performed with nothing more than a pencil and paper, but provides absolute message security. If properly applied, it is mathematically impossible for any eavesdropper to decrypt or break the message without the proper key. Keywords : cryptography, one-time pad, encryption, message security, conversion table, steganography, codebook, message verification code, covert communications, Jargon code, Morse cut numbers. version 012-2011 1 Contents Section Page I. Introduction 2 II. The One-time Pad 3 III. Message Preparation 4 IV. Encryption 5 V. Decryption 6 VI. The Optional Codebook 7 VII. Security Rules and Advice 8 VIII. Appendices 17 I. Introduction One-time pad encryption is a basic yet solid method to protect short text messages. This paper explains how to use one-time pads, how to set up secure one-time pad communications and how to deal with its various security issues. It is easy to learn to work with one-time pads, the system is transparent, and you do not need special equipment or any knowledge about cryptographic techniques or math. If properly used, the system provides truly unbreakable encryption and it will be impossible for any eavesdropper to decrypt or break one-time pad encrypted message by any type of cryptanalytic attack without the proper key, even with infinite computational power (see section VII.b) However, to ensure the security of the message, it is of paramount importance to carefully read and strictly follow the security rules and advice (see section VII).
    [Show full text]
  • John F. Byrne's Chaocipher Revealed
    John F. Byrne’s Chaocipher Revealed John F. Byrne’s Chaocipher Revealed: An Historical and Technical Appraisal MOSHE RUBIN1 Abstract Chaocipher is a method of encryption invented by John F. Byrne in 1918, who tried unsuccessfully to interest the US Signal Corp and Navy in his system. In 1953, Byrne presented Chaocipher-encrypted messages as a challenge in his autobiography Silent Years. Although numerous students of cryptanalysis attempted to solve the challenge messages over the years, none succeeded. For ninety years the Chaocipher algorithm was a closely guarded secret known only to a handful of persons. Following fruitful negotiations with the Byrne family during the period 2009-2010, the Chaocipher papers and materials have been donated to the National Cryptologic Museum in Ft. Meade, MD. This paper presents a comprehensive historical and technical evaluation of John F. Byrne and his Chaocipher system. Keywords ACA, American Cryptogram Association, block cipher encryption modes, Chaocipher, dynamic substitution, Greg Mellen, Herbert O. Yardley, John F. Byrne, National Cryptologic Museum, Parker Hitt, Silent Years, William F. Friedman 1 Introduction John Francis Byrne was born on 11 February 1880 in Dublin, Ireland. He was an intimate friend of James Joyce, the famous Irish writer and poet, studying together in Belvedere College and University College in Dublin. Joyce based the character named Cranly in Joyce’s A Portrait of the Artist as a Young Man on Byrne, used Byrne’s Dublin residence of 7 Eccles Street as the home of Leopold and Molly Bloom, the main characters in Joyce’s Ulysses, and made use of real-life anecdotes of himself and Byrne as the basis of stories in Ulysses.
    [Show full text]
  • Shift Cipher Substitution Cipher Vigenère Cipher Hill Cipher
    Lecture 2 Classical Cryptosystems Shift cipher Substitution cipher Vigenère cipher Hill cipher 1 Shift Cipher • A Substitution Cipher • The Key Space: – [0 … 25] • Encryption given a key K: – each letter in the plaintext P is replaced with the K’th letter following the corresponding number ( shift right ) • Decryption given K: – shift left • History: K = 3, Caesar’s cipher 2 Shift Cipher • Formally: • Let P=C= K=Z 26 For 0≤K≤25 ek(x) = x+K mod 26 and dk(y) = y-K mod 26 ʚͬ, ͭ ∈ ͔ͦͪ ʛ 3 Shift Cipher: An Example ABCDEFGHIJKLMNOPQRSTUVWXYZ 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 • P = CRYPTOGRAPHYISFUN Note that punctuation is often • K = 11 eliminated • C = NCJAVZRCLASJTDQFY • C → 2; 2+11 mod 26 = 13 → N • R → 17; 17+11 mod 26 = 2 → C • … • N → 13; 13+11 mod 26 = 24 → Y 4 Shift Cipher: Cryptanalysis • Can an attacker find K? – YES: exhaustive search, key space is small (<= 26 possible keys). – Once K is found, very easy to decrypt Exercise 1: decrypt the following ciphertext hphtwwxppelextoytrse Exercise 2: decrypt the following ciphertext jbcrclqrwcrvnbjenbwrwn VERY useful MATLAB functions can be found here: http://www2.math.umd.edu/~lcw/MatlabCode/ 5 General Mono-alphabetical Substitution Cipher • The key space: all possible permutations of Σ = {A, B, C, …, Z} • Encryption, given a key (permutation) π: – each letter X in the plaintext P is replaced with π(X) • Decryption, given a key π: – each letter Y in the ciphertext C is replaced with π-1(Y) • Example ABCDEFGHIJKLMNOPQRSTUVWXYZ πBADCZHWYGOQXSVTRNMSKJI PEFU • BECAUSE AZDBJSZ 6 Strength of the General Substitution Cipher • Exhaustive search is now infeasible – key space size is 26! ≈ 4*10 26 • Dominates the art of secret writing throughout the first millennium A.D.
    [Show full text]
  • Applications of Search Techniques to Cryptanalysis and the Construction of Cipher Components. James David Mclaughlin Submitted F
    Applications of search techniques to cryptanalysis and the construction of cipher components. James David McLaughlin Submitted for the degree of Doctor of Philosophy (PhD) University of York Department of Computer Science September 2012 2 Abstract In this dissertation, we investigate the ways in which search techniques, and in particular metaheuristic search techniques, can be used in cryptology. We address the design of simple cryptographic components (Boolean functions), before moving on to more complex entities (S-boxes). The emphasis then shifts from the construction of cryptographic arte- facts to the related area of cryptanalysis, in which we first derive non-linear approximations to S-boxes more powerful than the existing linear approximations, and then exploit these in cryptanalytic attacks against the ciphers DES and Serpent. Contents 1 Introduction. 11 1.1 The Structure of this Thesis . 12 2 A brief history of cryptography and cryptanalysis. 14 3 Literature review 20 3.1 Information on various types of block cipher, and a brief description of the Data Encryption Standard. 20 3.1.1 Feistel ciphers . 21 3.1.2 Other types of block cipher . 23 3.1.3 Confusion and diffusion . 24 3.2 Linear cryptanalysis. 26 3.2.1 The attack. 27 3.3 Differential cryptanalysis. 35 3.3.1 The attack. 39 3.3.2 Variants of the differential cryptanalytic attack . 44 3.4 Stream ciphers based on linear feedback shift registers . 48 3.5 A brief introduction to metaheuristics . 52 3.5.1 Hill-climbing . 55 3.5.2 Simulated annealing . 57 3.5.3 Memetic algorithms . 58 3.5.4 Ant algorithms .
    [Show full text]
  • Substitution Ciphers
    Foundations of Computer Security Lecture 40: Substitution Ciphers Dr. Bill Young Department of Computer Sciences University of Texas at Austin Lecture 40: 1 Substitution Ciphers Substitution Ciphers A substitution cipher is one in which each symbol of the plaintext is exchanged for another symbol. If this is done uniformly this is called a monoalphabetic cipher or simple substitution cipher. If different substitutions are made depending on where in the plaintext the symbol occurs, this is called a polyalphabetic substitution. Lecture 40: 2 Substitution Ciphers Simple Substitution A simple substitution cipher is an injection (1-1 mapping) of the alphabet into itself or another alphabet. What is the key? A simple substitution is breakable; we could try all k! mappings from the plaintext to ciphertext alphabets. That’s usually not necessary. Redundancies in the plaintext (letter frequencies, digrams, etc.) are reflected in the ciphertext. Not all substitution ciphers are simple substitution ciphers. Lecture 40: 3 Substitution Ciphers Caesar Cipher The Caesar Cipher is a monoalphabetic cipher in which each letter is replaced in the encryption by another letter a fixed “distance” away in the alphabet. For example, A is replaced by C, B by D, ..., Y by A, Z by B, etc. What is the key? What is the size of the keyspace? Is the algorithm strong? Lecture 40: 4 Substitution Ciphers Vigen`ere Cipher The Vigen`ere Cipher is an example of a polyalphabetic cipher, sometimes called a running key cipher because the key is another text. Start with a key string: “monitors to go to the bathroom” and a plaintext to encrypt: “four score and seven years ago.” Align the two texts, possibly removing spaces: plaintext: fours corea ndsev enyea rsago key: monit orsto gotot hebat hroom ciphertext: rcizl qfkxo trlso lrzet yjoua Then use the letter pairs to look up an encryption in a table (called a Vigen`ere Tableau or tabula recta).
    [Show full text]
  • Algorithms and Mechanisms Historical Ciphers
    Algorithms and Mechanisms Cryptography is nothing more than a mathematical framework for discussing the implications of various paranoid delusions — Don Alvarez Historical Ciphers Non-standard hieroglyphics, 1900BC Atbash cipher (Old Testament, reversed Hebrew alphabet, 600BC) Caesar cipher: letter = letter + 3 ‘fish’ ‘ilvk’ rot13: Add 13/swap alphabet halves •Usenet convention used to hide possibly offensive jokes •Applying it twice restores the original text Substitution Ciphers Simple substitution cipher: a=p,b=m,c=f,... •Break via letter frequency analysis Polyalphabetic substitution cipher 1. a = p, b = m, c = f, ... 2. a = l, b = t, c = a, ... 3. a = f, b = x, c = p, ... •Break by decomposing into individual alphabets, then solve as simple substitution One-time Pad (1917) Message s e c r e t 18 5 3 17 5 19 OTP +15 8 1 12 19 5 7 13 4 3 24 24 g m d c x x OTP is unbreakable provided •Pad is never reused (VENONA) •Unpredictable random numbers are used (physical sources, e.g. radioactive decay) One-time Pad (ctd) Used by •Russian spies •The Washington-Moscow “hot line” •CIA covert operations Many snake oil algorithms claim unbreakability by claiming to be a OTP •Pseudo-OTPs give pseudo-security Cipher machines attempted to create approximations to OTPs, first mechanically, then electronically Cipher Machines (~1920) 1. Basic component = wired rotor •Simple substitution 2. Step the rotor after each letter •Polyalphabetic substitution, period = 26 Cipher Machines (ctd) 3. Chain multiple rotors Each rotor steps the next one when a full
    [Show full text]
  • Cryptanalysis of the ``Kindle'' Cipher
    Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptanalysis of the “Kindle” Cipher Alex Biryukov, Gaëtan Leurent, Arnab Roy University of Luxembourg SAC 2012 A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 1 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptography: theory and practice In theory In practice ▶ Random Oracle ▶ Algorithms ▶ ▶ Ideal Cipher AES ▶ SHA2 ▶ Perfect source of ▶ RSA randomness ▶ Modes of operation ▶ CBC ▶ OAEP ▶ ... ▶ . Random Number Generators ▶ Hardware RNG ▶ PRNG A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 2 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Cryptography in the real world Several examples of flaws in industrial cryptography: ▶ Bad random source ▶ SLL with 16bit entropy (Debian) ▶ ECDSA with fixed k (Sony) ▶ Bad key size ▶ RSA512 (TI) ▶ Export restrictions... ▶ Bad mode of operation ▶ CBCMAC with the RC4 streamcipher (Microsoft) ▶ TEA with DaviesMeyer (Microsoft) ▶ Bad (proprietary) algorithm ▶ A5/1 (GSM) ▶ CSS (DVD forum) ▶ Crypto1 (MIFARE/NXP) ▶ KeeLoq (Microchip) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 3 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion . Amazon Kindle ▶ Ebook reader by Amazon ▶ Most popular ebook reader (≈ 50% share) ▶ 4 generations, 7 devices ▶ Software reader for 7 OS, plus cloud reader ▶ Several million devices sold ▶ Amazon sells more ebooks than paper books ▶ Uses crypto for DRM (Digital Rights Management) A. Biryukov, G. Leurent, A. Roy (uni.lu) Cryptanalysis of the “Kindle” Cipher SAC 2012 4 / 22 Introduction PC1 Known-plaintext key-recovery Ciphertext only key-recovery Conclusion .
    [Show full text]